IT due diligence checklist for evaluating MSPs


It’s never been a more critical time to outsource technology needs to an MSP

If you are just starting the process, before you sign on the dotted line, there are some things to consider to make sure you find the right provider for your needs.

The goal, of course, is to get quality service while reducing operational costs. You want to work with a provider that has the necessary credentials as well as experience and expertise.

After you determine what services you need, it’s a good idea to ask how long the MSP has been in business and what type of skills their staff has. Do they have the appropriate training and certifications and experience in your specific needs areas?

In short, consider this a job interview—so you’ll also want to ask if they provide references and testimonials? Again, a reputable MSP should be able to provide this.

From there, you can delve into the following areas.

Service level agreements

It’s important to put in writing the terms, conditions, and services the provider will be offering, as well as the guaranteed uptime. You should also ask if the MSP has worked with businesses of similar sizes and the same or similar industries?

Make sure the MSP has offerings that match the needs of your business—and will in the future.

Most MSPs offer one-year and three-year terms. Note that a one-year term may mean a higher contract price. Check also to see if their contracts include auto-renewals.

Other areas to consider are whether their termination clauses are clearly defined, and do they have insurance? In the latter instance, if they do, what does it/does it not cover?

Support and availability

You want to ensure your business can run effectively and the provider will be responsive in a timely manner if a problem arises. Otherwise, downtime will cause your business to suffer. It’s important to ask what their response time is for IT issues.

Also, what is their guaranteed uptime? Conversely, how long will it take to recover systems in the event of an outage?

Further, does the MSP offer 24x7x365 support? And will there be a dedicated account or support person for your business? Some MSPs outsource their services such as backup and recovery and data centers to other third parties, so they should detail how issues will be handled when multiple vendors are involved.

Disaster recovery

An experienced MSP should be able to execute a robust disaster recovery and business continuity plan for your organization. This entails conducting a risk assessment and a business impact analysis. This exercise is done to help identify the events that can affect your operations, as well as their potential impacts and severity.

When you have this information you can determine what measures to take and whether the MSP has the resources to reduce your risk for disaster and ensure business continuity.


Some MSPs are also adding managed security services to their arsenals to proactively manage and monitor customer and home office environments to detect and prevent threats.

If you are looking to enhance your internal security, it’s a good idea to ask the MSP if they have developed a formal cybersecurity plan. Also, do they offer remote monitoring and management (RMM)? How about security training for your employees to improve your company’s cybersecurity posture?

Related reading: Building a rock-solid MSP tech stack

Other considerations are how frequently does the MSP do patches and systems update, and are they automated? What type of network security protocols and systems have they implemented? How often do they deploy new security software?

Depending on your needs, you may also want to ask whether the MSP uses commercial-grade firewalls, offers intrusion detection and prevention, antivirus and anti-malware software, email security with encryption, and multifactor authentication, to name a few.

For organizations looking for more advanced security services, you’ll want to know if the provider has a 24x7x365 security operations center (SOC) and whether they understand regulatory compliance requirements.

Cloud migration

Many businesses are now moving business processes and applications to the cloud. If this is a consideration, ask the MSP if they offer migration services, and if so, what that includes?

Again, experience is key here. Does the MSP provide ongoing support? Do they have tools that automate the process? The provider must ensure that there will be zero downtime during the migration, and they should create a parallel cloud environment so that users can test before they go live.

Once your operations are in the cloud, you’ll also want to know whether the MSP can manage your cloud data on an ongoing basis, as well as deliver services to scale your business.

This is all time-consuming, yes. But the devil’s in the details. Don’t have any regrets—do your due diligence.

read moreicon